Use Azure DevOps Git Artefacts with PAT #6289

Closed
Kraego opened this issue May 21, 2021 · 11 comments · Fixed by #11983
Kraego commented May 21, 2021

Summary

Connect a private AzureDevOps Git Repo, with PAT (Combined Token: Authenticity + Secret). As the documentation stated, I tried:
Then, connect the repository using any non-empty string as username and the access token value as a password see.
where I used the PAT as access token.

The Error I'm getting on the argo-cd Side: git did not exit cleanly (exit code 128)

Use Cases

When having the config (kustomize) stored in an AzureDevOps Git Repo.

My setup:

  • Argo CD: v2.0.1+33eaf11
  • AzureDevops2020 - Version Dev18.M170.8 (on premise)

According to Microsoft docs the only working solution is HTTP header basic auth (but that's just an ugly workaround and not suitable for production use):

MY_PAT=yourPAT		# replace "yourPAT" with your actual PAT
B64_PAT=$(printf "%s"":$MY_PAT" | base64)
git -c http.extraHeader="Authorization: Basic ${B64_PAT}" clone https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName

Message from the maintainers:

Seems to be the same problem as #6362

Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.

Author

Kraego commented May 21, 2021

Spawned from #5235.

alexec transferred this issue from argoproj/argo-workflows May 21, 2021

@mohanrajatnetapp

Adding ADO repo as https repo, with any non-empty username and PAT in place of password works fine. I am using

{
    "Version": "v2.0.4+0842d44"
}

Author

Kraego commented Jul 6, 2021

Upgraded to Version

{
    "Version": "v2.0.4+0842d44"
}

The initial connect works (as before), but strangely the Name column in the repos table is also empty ....

But when I'm creating a App I still get:

Unable to create application: application spec is invalid: 
InvalidSpecError: 
Unable to get app details: rpc error: code = Internal 
desc = Failed to fetch fe43f82efbf3b5d9f0f538ffe83ce3d927ff5e3e: `git fetch origin --tags --force` failed exit status 128: 
fatal: Authentication failed for [Repo URI ...]

@mohanrajatnetapp: Are you working on an on-premise DevOps instance or in the cloud?

Author

Kraego commented Jul 7, 2021

Seems to be the same problem as #6362


mohanrajatnetapp commented Jul 11, 2021

> Upgraded to Version
>
> {
>     "Version": "v2.0.4+0842d44"
> }
>
> The initial connect works (as before), but strangely the Name column in the repos table is also empty ....
>
> But when I'm creating a App I still get:
>
> Unable to create application: application spec is invalid: 
> InvalidSpecError: 
> Unable to get app details: rpc error: code = Internal 
> desc = Failed to fetch fe43f82efbf3b5d9f0f538ffe83ce3d927ff5e3e: `git fetch origin --tags --force` failed exit status 128: 
> fatal: Authentication failed for [Repo URI ...]
>
> @mohanrajatnetapp: Are you working on an on-premise DevOps instance or in the cloud?

Cloud Azure DevOps.
I was aware of the issue but went ahead and set it up and it works.

Author

Kraego commented Jul 12, 2021

Okay, we are using Azure DevOps Server 2020, so maybe it's just a problem of the on-prem version.

@bobertrublik

No updates yet? :( Same issues with Azure Devops on-premise.

@AtzeDeVries

So if you create a PAT for a user (not just a PAT for a specific repo, which is only available in non azdo server) and then create a random username it works.

---
apiVersion: v1
kind: Secret
metadata:
  name: azdo-<redacted>-repo-creds
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repo-creds
stringData:
  type: git
  url: https://dev.azure.com/<redacted>
  password: <redacted>
  username: argocd


alkdese commented Jun 16, 2022

> So if you create a PAT for a user (not just a PAT for a specific repo, which is only available in non azdo server) and then create a random username it works.
>
> ---
> apiVersion: v1
> kind: Secret
> metadata:
>   name: azdo-<redacted>-repo-creds
>   namespace: argocd
>   labels:
>     argocd.argoproj.io/secret-type: repo-creds
> stringData:
>   type: git
>   url: https://dev.azure.com/<redacted>
>   password: <redacted>
>   username: argocd

My app is in a failed state. Message:

rpc error: code = Unknown desc = Get "https://myorg@dev.azure.com/myorg/myproj/_git/git-repo-name/info/refs?service=git-upload-pack": EOF

Member

jannfis commented Jan 13, 2023

Just as a heads-up, we presumably found the root cause for this, refer to #11914 - with that implemented, Azure DevOps on-prem should work using HTTPS with Argo CD without any workarounds.

@kirkpabk

There may be other things happening here...

Had a similar issue in the past with GIT repositories. Depending on the host configurations and perhaps hardening, inline PATs (in the url) no longer work. Must pass a base64 authentication header such as:

Authorization: Basic Om9uNWt0bGfakeVkcXlvbaTZsaXFpYzJhNjfakeZsbm5zcGJuaHFtcnlvdWo3bmEzMnNu9GE=

which would have the Base64 representation of ":myPAThere" (empty user name, : and PAT value).

$token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($PAT)"))
$header = "Authorization: Basic $token"

In GIT, for instance, we can get around the inline PAT by passing an http.extraheader= to the --config-env parameter.

I don't think that ArgoCD is implementing this use case or provides an ability to add an extra header. Would be great if they'd provide an option to include extraheader (or similar) values for folks with hardened platforms.
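
The header construction described in the comment above (empty user name, `:`, then the PAT), as an added example that is not part of the thread and not Argo CD code. The names `basic_auth_header`, `git_with_pat` and `GIT_AUTH_HEADER` are hypothetical, the sample token is constructed, and `--config-env` assumes git 2.31 or later.

```shell
#!/bin/sh
# Added example, not code from this thread or from Argo CD.
# basic_auth_header, git_with_pat and GIT_AUTH_HEADER are hypothetical names.

# Print "Authorization: Basic <base64(":" + PAT)>" (empty user name, ':' and PAT).
basic_auth_header() {
    # The PAT is a printf argument, not part of the format string, so a '%'
    # or '\' in the token is encoded literally. tr removes the line breaks
    # GNU base64 inserts after 76 output characters, which would otherwise
    # split the header for long tokens.
    _token=$(printf ':%s' "$1" | base64 | tr -d '\n')
    printf 'Authorization: Basic %s' "$_token"
}

# Usage: git_with_pat PAT git-arguments...
# The header reaches git through an environment variable named by
# --config-env (git 2.31 or later), so it does not appear in the argument
# list that `ps` shows, unlike `git -c http.extraHeader=...`.
git_with_pat() {
    _pat=$1
    shift
    GIT_AUTH_HEADER=$(basic_auth_header "$_pat") \
        git --config-env=http.extraHeader=GIT_AUTH_HEADER "$@"
}

# Constructed sample value, not a real token.
SAMPLE_PAT='constructed-sample-pat-with-%-sign'
basic_auth_header "$SAMPLE_PAT"
echo
```

Base64 is an encoding, not encryption, so the resulting header is as sensitive as the PAT itself and belongs only on HTTPS remotes.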
